
"Oh sh*t," he mumbled. "I just broke the Internet." A True Story...Just Stunning ... LINK

This topic is archived.

Blackhatjack Donating Member (1000+ posts) Tue Dec-02-08 12:04 AM
Original message
"Oh sh*t," he mumbled. "I just broke the Internet." A True Story...Just Stunning ... LINK
Edited on Tue Dec-02-08 12:11 AM by Blackhatjack
This short account tells how Dan Kaminsky discovered a fatal flaw in the internet, and how it touched off a worldwide race to fix it before hackers learned about it.

Just stunning in its implications....

http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky?currentPage=all

Secret Geek A-Team Hacks Back, Defends Worldwide Web

"Kaminsky froze. This was far more serious than anything he could have imagined. It was the ultimate hack. He was looking at an error coded into the heart of the Internet's infrastructure. This was not a security hole in Windows or a software bug in a Cisco router. This would allow him to reassign any Web address, reroute anyone's email, take over banking sites, or simply scramble the entire global system. The question was: Should he try it?

The vulnerability gave him the power to transfer millions out of bank accounts worldwide. He lived in a barren one-bedroom apartment and owned almost nothing. He rented the bed he was lying on as well as the couch and table in the living room. The walls were bare. His refrigerator generally contained little more than a few forgotten slices of processed cheese and a couple of Rockstar energy drinks. Maybe it was time to upgrade his lifestyle.

Or, for the sheer geeky joy of it, he could reroute all of .com into his laptop, the digital equivalent of channeling the Mississippi into a bathtub. It was a moment hackers around the world dream of—a tool that could give them unimaginable power. But maybe it was best simply to close his laptop and forget it. He could pretend he hadn't just stumbled over a skeleton key to the Net. Life would certainly be less complicated. If he stole money, he'd risk prison. If he told the world, he'd be the messenger of doom, potentially triggering a collapse of Web-based commerce.

But who was he kidding? He was just some guy. The problem had been coded into Internet architecture in 1983. It was 2008. Somebody must have fixed it by now. He typed a quick series of commands and pressed enter. When he tried to access the Fortune 500 company's Web site, he was redirected to an address he himself had specified.

"Oh shit," he mumbled. "I just broke the Internet."

MORE

BrklynLiberal Donating Member (1000+ posts) Tue Dec-02-08 12:24 AM
Response to Original message
1. WIRED is a great magazine.

Blackhatjack Donating Member (1000+ posts) Tue Dec-02-08 12:28 AM
Response to Reply #1
2. This account shows how close we came to a total meltdown of the Internet....
... and it makes you stop and think there are likely other 'fatal flaws' out there, which could impact us all.

Secrecy in producing and distributing programming code leads to just this kind of disaster.

A short step to discovering the same was exploited in electronic voting machines....

BrklynLiberal Donating Member (1000+ posts) Tue Dec-02-08 12:45 AM
Response to Reply #2
5. Black Box Voting was my first thought as well..

truedelphi Donating Member (1000+ posts) Wed Dec-03-08 06:19 PM
Response to Reply #2
66. I kept thinking about how tempting it would be to become GOD overnight
Here is what might have happened if someone without a conscience like me had discovered this bug (Not that I could - I am a bit lame when it comes to programming)

I would take over the entire banking system of every major bank in the world.
Then I would release money only to individuals that were of no consequence. And to corporations who did actual production of goods. Hedge fund managers and people shorting the market would find themselves "shorted" overnight.

Arms dealing merchants would suddenly find themselves penniless. Various funds nestled inside the Pentagon's arms procurement programs would be down in value by a lot too. As well as procurement departments of all other nations.

IMF Fund and World Bank would be broke, and so would the rulers of those establishments.

Smallish mid-sized do-good associations would have some serious cash influx. Any organic farmers needing cash loans would have them.

The election campaign chests of everyone running for President but Ron Paul and Kucinich would have been suddenly "disappeared." Those "disappeared" funds would appear in the bank accounts of everyone running as a "green" or a progressive and radical Democrat.

And on and on.

Kaminsky might be great at programming, but he suffers from a dearth of imagination. On account of him tattling to the authorities, we are all sitting at the edge of our seats wondering what further bad news the Paulson economy will be dispensing tomorrow. It would have been far better if the person catching this flaw had had some real imagination.




anigbrowl Donating Member (1000+ posts) Thu Dec-04-08 02:52 AM
Response to Reply #66
80. This wouldn't actually give you control of people's computers
It'd be more like suddenly finding you could program your cell phone to receive calls for whatever # you wanted. Sure, you could program with the # of some famous or powerful people, but how much would you be able to do by impersonating them before they started to notice? No way would it let you play god...although it would give you the powers of a minor-league superhero, or supervillain depending on your alignment.

truedelphi Donating Member (1000+ posts) Thu Dec-04-08 12:22 PM
Response to Reply #80
81. Thank you for the clarification - but a person can
Edited on Thu Dec-04-08 12:23 PM by truedelphi
Dream big - can't they??

:toast:

AbbeyRoad Donating Member (848 posts) Tue Dec-02-08 12:41 AM
Response to Original message
3. That was a fascinating read
Thanks for the link.

I can't believe that Ptacek guy couldn't keep a lid on the secret when so many others did.

napoleon_in_rags Donating Member (1000+ posts) Tue Dec-02-08 03:06 PM
Response to Reply #3
40. I know, it had all the heroes and villains of an adventure story...
Kaminsky was the real person worth commenting on though, a real Frodo Baggins style hero. This guy absolutely had the ring of power in his hands, he could have done anything. But he did the right thing, took it to Gandalf, and the fellowship threw it into mount Doom. I hope this guy gets the respect he deserves for his actions.

clear eye Donating Member (1000+ posts) Thu Dec-04-08 12:50 AM
Response to Reply #3
72. It's clear he was consumed with jealousy n/t

rockymountaindem Donating Member (1000+ posts) Tue Dec-02-08 12:43 AM
Response to Original message
4. Great article
I know next to nothing about computers and even I understood what they were talking about. Well done.

mrreowwr_kittty Donating Member (1000+ posts) Tue Dec-02-08 01:02 AM
Response to Reply #4
8. Same here!
I always appreciate when people can write about tech-y issues in a way that's accessible to everyone.

davepdx Donating Member (117 posts) Tue Dec-02-08 02:16 AM
Response to Reply #8
13. A very interesting article. It reminded me of Clifford Stoll's book
Edited on Tue Dec-02-08 02:17 AM by davepdx
"The Cuckoo's Egg" written in 1990. Cliff Stoll, an astronomer at Lawrence Berkeley National Laboratory (grad student if I remember correctly), was assigned to find out why there was a $0.75 accounting error in the computer usage accounts and his efforts led to eventually catching a German computer hacker who was not only breaking into university computer networks but also into military installation computer networks. Stoll's effort led to the conviction of the German hacker who was selling anything he could find to the KGB. It was amazing to see how the FBI, the CIA, and the NSA first reacted when they were informed that someone was hacking into US military computers (they weren't interested at first).

I'm not meaning to hijack the thread but rather make the point that Stoll's book was very easy to follow like this article was no matter how computer savvy a person might be. It was a fun read.

Edit: typo.

Are_grits_groceries Donating Member (1000+ posts) Tue Dec-02-08 09:45 AM
Response to Reply #13
27. Great book..........

Patiod Donating Member (1000+ posts) Tue Dec-02-08 11:09 AM
Response to Reply #13
31. You beat me to it
Both this and "Cuckoo's Egg" were interesting even to the technologically barely-literate.

Starry Messenger Donating Member (1000+ posts) Tue Dec-02-08 12:53 AM
Response to Original message
6. Excellent read.
Highly recommended.

Blue_Tires Donating Member (1000+ posts) Tue Dec-02-08 01:01 AM
Response to Original message
7. incredible...

Blackhatjack Donating Member (1000+ posts) Tue Dec-02-08 01:18 AM
Response to Original message
9. Imagine what a sophisticated hacker could have wrought with this information...
... millions of dollars transferred, and thousands of companies compromised.. and credit card transactions fraudulently placed, and identities stolen...

just a real bag full of nightmares....

soothsayer Donating Member (1000+ posts) Tue Dec-02-08 03:06 AM
Response to Reply #9
16. who needs hackers when we have paulson to do the same damage?

WinkyDink Donating Member (1000+ posts) Tue Dec-02-08 07:25 AM
Response to Reply #16
18. Heh. For realz.

pnwmom Donating Member (1000+ posts) Tue Dec-02-08 01:19 AM
Response to Original message
10. Apparently they still don't have a long term solution -- just a temporary fix.
Great.

autorank Donating Member (1000+ posts) Tue Dec-02-08 01:23 AM
Response to Original message
11. Oh lord

Great story. Just read it from start to finish. This guy is terrific. He's an honest man, someone
with a sense of integrity and professionalism. He's lucky that he contacted Vixie, who also comes
across as quite decent, willing to accept a radical flaw quickly and act on it.

There are many smart people out there, off the pathways of publicity and power, who just figure things
out. Kaminsky is a giant among them. So's that 12 year old from Beaverton, Oregon who figured out how
to maximize solar cells by a factor of 500.

Who needs the self important "morans" who think that they govern. This was all people and their
personal integrity getting the job done for the whole damn world.

DainBramaged Donating Member (1000+ posts) Tue Dec-02-08 08:55 AM
Response to Reply #11
21. If he's so "honest" why did he threaten to go to the hacker's conference
and disclose what he found even when they did fix it? Does anyone get the fact this guy is a publicity whore?

RoyGBiv Donating Member (1000+ posts) Tue Dec-02-08 07:28 PM
Response to Reply #21
51. Because ...

The Internet is by and large controlled by corporate interests whose first inclination upon discovering things like this is covering it up or finding some way to use it to their advantage. Or, they blame the people that found the flaw in the first place.

This is a now age-old story. Hackers had skills in the 60's and 70's they tried to put to good use, but based on the actions of a relative few, they were painted as criminals for their efforts. People tried to tell AT&T, for example, of all the holes in their system. Those people ended up in jail or on the short end of a bargaining stick where they later got hired and promptly forced to shut up about it else go to jail.

At some point the real hackers, as opposed to the script kiddies, took their intellect and let it expand beyond the technical into the PR arena. Thus, you have Black Hat, etc.

What he did is now SOP when independent hackers find flaws.

anigbrowl Donating Member (1000+ posts) Thu Dec-04-08 02:32 AM
Response to Reply #21
75. Because that's how the computer security world operates
It has its own culture and this is a traditional method of tech leverage. What's dishonest is knowing that the program/ computer/ network is fundamentally flawed and keeping it a secret in order to cover your ass.

DainBramaged Donating Member (1000+ posts) Tue Dec-02-08 02:11 AM
Response to Original message
12. Kaminsky sold his soul for a few minutes of fame
Heroes don't threaten news conferences. Assholes do.

chalky Donating Member (1000+ posts) Tue Dec-02-08 02:23 AM
Response to Reply #12
14. Yeah, right? I was on his side until I got to the "You've got three months to fix
Edited on Tue Dec-02-08 02:24 AM by chalky
it and then I'm telling the world" part. That's when my admiration screeched to a halt.
That being said, I'm not sure how panicked I should feel about that last statement:
"There is no saving the Internet," he said. "There is postponing the inevitable for a little longer."



DainBramaged Donating Member (1000+ posts) Tue Dec-02-08 08:39 AM
Response to Reply #14
20. The guy is no hero, he is a hack who stumbled on an error in source code
and it's patched and I am POSITIVE he got paid off, who is the author kidding? These krackers don't give a shit about the world, all they care about is their 15 minutes.


:hi:

KittyWampus Donating Member (1000+ posts) Tue Dec-02-08 03:03 PM
Response to Reply #20
38. people who post crap like that are invariably just jealous. The man's entitled to 15 minutes
Edited on Tue Dec-02-08 03:04 PM by cryingshame
of fame.

NashVegas Donating Member (1000+ posts) Tue Dec-02-08 04:24 PM
Response to Reply #38
43. Agreed 100%
Didn't Joe the Plumber give a good enough demonstration of what can be done with that fame time?

roamer65 Donating Member (1000+ posts) Tue Dec-02-08 09:18 PM
Response to Reply #20
55. Delete.
Edited on Tue Dec-02-08 09:19 PM by roamer65

Orsino Donating Member (1000+ posts) Tue Dec-02-08 09:20 AM
Response to Reply #14
24. We have the luxury of jeering him precisely because of the secrecy...
...to which Kaminsky agreed. Had he chattered away on message boards, black hats would have exploited the hell out of the flaw, crippling e-commerce, e-mail and general network security, not to mention crashing the stock market. Despite his grandstanding there at the end of the article, we owe him thanks.

I don't understand the "all they care about are their fifteen minutes" meme. Kaminsky could have had a lot more and longer-lasting fame than he received, but he did things more or less correctly. He did help save the Internet.

DainBramaged Donating Member (1000+ posts) Tue Dec-02-08 09:23 AM
Response to Reply #24
25. He set limits to the secrecy to get his 15 minutes, and we are still talking about him
he does not deserve the accolades. Like I said earlier, real heroes are invisible. They don't need press conferences.

Orsino Donating Member (1000+ posts) Tue Dec-02-08 09:44 AM
Response to Reply #25
26. I hesitate to use the word "hero"...
...but it could apply, I suppose, to Kaminsky's initial handling of his discovery. I don't care, much, that he enjoyed his press conferences; they were necessary, IMO, to impress upon the world the need for a long-term fix. The few accolades he received at the time were, IMO, appropriate, even if people like Vixie are going to be designing the ultimate repair.

I have quite a bit of trouble advising network administrators to apply ordinary security fixes for immediate risks. Few of my customers are addressing the larger problem, and almost none of them have ever heard of Kaminsky.

seemunkee Donating Member (1000+ posts) Tue Dec-02-08 09:48 AM
Response to Reply #25
28. Keeping things quiet long enough for a fix is SOP
Security researchers are in a tough bind. If they let the holes become known, they get exploited rather quickly. If they don't release the information, no one finds out about how to make software more secure or that a problem exists. Plus, a lot of companies drag their feet on patching problems without the threat of holes being revealed. The ISP our company uses was very slow in implementing this fix. If the dire warnings were not out in the open I doubt if they would have it patched today.

Teaser Donating Member (1000+ posts) Tue Dec-02-08 09:55 AM
Response to Reply #14
29. I'm down with the threat
Institutions don't move unless they're frightened.

NashVegas Donating Member (1000+ posts) Tue Dec-02-08 04:23 PM
Response to Reply #14
42. I Don't Have a Problem With It
1. It gave the DNS guys that extra motivation needed to get a fix ASAP.

2. If he didn't go public, one of the others would and that person would get the credit with the wider press, and the increased job opportunities/other exploitation that goes with it. That was demonstrated in the story, in the matter of the security asshole who leaked the story public in spite of agreeing not to.

Fleshdancer Donating Member (1000+ posts) Tue Dec-02-08 09:43 PM
Response to Reply #14
57. without the threat, they may not have rushed to fix it
Regardless of what his motives were, I think it was a smart strategy in the long run.

The Doctor. Donating Member (1000+ posts) Tue Dec-02-08 09:55 PM
Response to Reply #14
59. Giving the world three months is just another way of saying "Fix it right the fuck now"...
He knew who he was dealing with, he knew what he was doing.

His choice was pretty fucking simple; Fleece the world, or be a good guy with strings.

He wanted to get something for saving the www. If you fault him for that, then you're just telling everyone else to rape us all... because there's no profit in doing right.


Actually fucking think about it.

clear eye Donating Member (1000+ posts) Wed Dec-03-08 04:07 PM
Response to Reply #14
62. He said that so that those he told wouldn't use the info to their own advantage,
Edited on Wed Dec-03-08 04:08 PM by clear eye
or sell it to the highest bidder to do so. He didn't want the NSA, for instance, to be able to wreak havoc on individuals or businesses of their choosing completely undetectably. Or even worse bankrupt entire countries. Alternatively, without either a fix or exposure, the likelihood that the next hacker or series of hackers to uncover it would use it criminally was high.

It takes a real stretch to attribute ugly motives to someone who just voluntarily gave up infinite riches and power.

hootinholler Donating Member (1000+ posts) Tue Dec-02-08 12:23 PM
Response to Reply #12
33. Bullshit.
There's a concept known as Full Disclosure and it keeps people from playing ostrich when confronted with catastrophic security news. He gave ample warning and disclosure of an exploit that had the potential to cause serious harm to the real world before going public. He didn't threaten a news conference, he said he would give a talk at DEFCON 16. Gosh, pretty SOP for someone who discovers an exploit they don't intend to, um exploit.

Video of the presentation at media.defcon.org/dc-16/video/dc16_kaminsky/dc16_kaminsky_cache.m4v

-Hoot

Greyhound Donating Member (1000+ posts) Tue Dec-02-08 06:59 PM
Response to Reply #12
47. I'm glad you build cars. The most likely result of his disclosure without the time limit
would be the flaw being used by "intelligence" agencies and black-hat hackers wreaking havoc, since the "leaders" of our corporate overlords would, without question, react with "let's pretend we don't know about this (except as we can use it for ourselves)".

Look at what your industry has done to so many discoveries and inventions it has been able to keep bottled up.



uncle ray Donating Member (1000+ posts) Thu Dec-04-08 02:18 AM
Response to Reply #12
73. what would you do in his situation?

shellgame26 Donating Member (1000+ posts) Tue Dec-02-08 03:00 AM
Response to Original message
15. Hollywood are you listening?
This would make a great script!

TexasObserver Donating Member (1000+ posts) Tue Dec-02-08 09:00 AM
Response to Reply #15
22. dupe
Edited on Tue Dec-02-08 09:00 AM by TexasObserver

TexasObserver Donating Member (1000+ posts) Tue Dec-02-08 09:00 AM
Response to Reply #15
23. LIVE FREE OR DIE HARD was a great script!
Have you seen it?

I was surprised it was a cut above what one would otherwise expect of that Bruce Willis character.

It's not exactly the same plot line, but the concept of someone figuring out how to take over the government's most sensitive computer systems using code was a key.

proud patriot Donating Member (1000+ posts) Tue Dec-02-08 07:05 PM
Response to Reply #23
48. I love the Die Hard series all 4 of them
:)

anigbrowl Donating Member (1000+ posts) Thu Dec-04-08 02:47 AM
Response to Reply #15
78. No, it wouldn't
If I was making a film out of this nobody would care unless there were people after him with guns. Rule #1 of sympathetic computer nerds in Hollywood is that they either must die or be pursued for most of the film by people who are shooting at them in order to The Data, the only copy of which is stored on a piece of cheap consumer storage media. You really need to get out more.

Seriously, It is a good story but to get drama you have to have a ticking clock under the control of some Bad Guys. Stories about computer geeks (of whom I am one) don't work that well, for the same reason you don't see many films about accountants or safety inspectors. Whistleblower movies only work if it ends up with a court battle.

I like Kaminsky though. I know him from another board, where he posted a lot of supplementary information about this story (at other readers' request). It's sort of an Emperor's New Clothes kinda case; as soon as I read the first few paragraphs I understood exactly what the flaw was, but like most others I had always assumed it was so obvious (like an open door at a bank) that it was protected against in other ways by administrators who had just left the seeming flaw alone for compatibility reasons.

Blackhatjack Donating Member (1000+ posts) Tue Dec-02-08 03:36 AM
Response to Original message
17. The problem here is no one knows how much damage was done before the patches...
... because companies with a public persona do not want to raise the public awareness that they could be had.

rug Donating Member (1000+ posts) Tue Dec-02-08 08:06 AM
Response to Original message
19. Wow, what a story. Excellently written.

high density Donating Member (1000+ posts) Tue Dec-02-08 11:06 AM
Response to Original message
30. The article confuses DNS with serving web pages
An interesting story, but I'm a bit put off by the breathlessness of it all. DNS is definitely used in serving webpages, but a few paragraphs cloud the difference between a hostname and a web page. The cellphone paranoia was too much.

ieoeja Donating Member (1000+ posts) Tue Dec-02-08 11:37 AM
Response to Original message
32. Actually ... this problem was discovered by someone else years earlier.

One of the comments at your link provides this link:

http://cr.yp.to/djbdns/forgery.html




ellacott Donating Member (1000+ posts) Tue Dec-02-08 12:35 PM
Response to Reply #32
34. Wow, that makes it worse
It looks like people weren't serious about protecting the security of the internet.

Is it true that the reason many people dislike Bill Gates is because he is reluctant to fix security deficiencies with his software?

progdonkey Donating Member (1000+ posts) Wed Dec-03-08 05:29 PM
Response to Reply #34
64. I don't think it's that he's reluctant....
Microsoft puts out patches and hotfixes all the time... and that's the problem: they release software that's full of holes and needs constant patching.

In the James Bond movie "Tomorrow Never Dies," the villain is a mixture of Rupert Murdoch and Bill Gates (primarily the former, though), and they made a reference to this feeling. At one point, he's talking via satellite with the head of his software division, checking on the status of the latest operating system. The man replies, "It's done, sir. As requested, it's full of bugs, so people will be forced to upgrade for years." He replies, "Outstanding."

NashVegas Donating Member (1000+ posts) Tue Dec-02-08 04:29 PM
Response to Reply #32
44. I'm Not Sure That's the Same Thing
In one of his .pdfs, it says you've got to figure out the server's public key. Kaminsky appears to have bypassed that step, or found a ridiculously simple way to get that key.

OPERATIONMINDCRIME Donating Member (1000+ posts) Tue Dec-02-08 12:54 PM
Response to Original message
35. What An Awesome And Fascinating Article. Thanks For That!

Blackhatjack Donating Member (1000+ posts) Tue Dec-02-08 02:50 PM
Response to Reply #35
37. yw.

Blackhatjack Donating Member (1000+ posts) Tue Dec-02-08 02:49 PM
Response to Original message
36. It seems a heck of a lot easier to steal money on the Net than from a brick & mortar Bank...
... I keep hearing how secure the Net is, and how all commerce is shifting to internet based transactions, and then I read an article like this one. I'm not convinced.

I tend to agree with the Kaminsky statement that the present Internet won't survive, but will be nursed along for a while longer until a newer more secure system can be constructed and placed into service.

In the meantime, the computer security industry will continue to have job security as they try to plug the multiplying holes in the dyke holding back hackers and thieves.

Karenina Donating Member (1000+ posts) Tue Dec-02-08 03:05 PM
Response to Original message
39. Marking for a thorough read...
:kick:

pacalo Donating Member (1000+ posts) Tue Dec-02-08 04:15 PM
Response to Original message
41. Now I've heard everything.
I don't agree with the author: I'd substitute "stocky" for "slightly overweight".


1776Forever Donating Member (1000+ posts) Tue Dec-02-08 06:25 PM
Response to Original message
45. When I read this it said to me that it was time to step up to the next level after the internet.
What that is I am sure will be found eventually. What a trip that will be!

Bucky Donating Member (1000+ posts) Tue Dec-02-08 06:50 PM
Response to Original message
46. Forget the stealable money -- think of all the Free Arby's coupons he coulda got!
Or porn!


          On further reflection, nah, I'd rather have some Arby's

Greyhound Donating Member (1000+ posts) Tue Dec-02-08 07:07 PM
Response to Original message
49. Read this recently too, pretty freaky wasn't it? K&R n/t
:kick:



Gabi Hayes Donating Member (1000+ posts) Tue Dec-02-08 07:11 PM
Response to Original message
50. anybody in the know think this could have any sort of connection with the
current financial fiasco, espec since large institutions are loath to publicize the extent of their cyber vulnerabilities?

how can anyone know that all the money that went down the rabbithole may have had much to do with this DNS mess?

since nobody else mentioned it, I imagine I'm offtrack, but, not knowing much about the nets, or the byzantine financial depredations that got us where we are today, I was just wondering

thoughts?

.......

bemildred Donating Member (1000+ posts) Tue Dec-02-08 07:33 PM
Response to Reply #50
52. No, not likely. nt

hendo Donating Member (1000+ posts) Tue Dec-02-08 07:34 PM
Response to Original message
53. Great article
Yet another reason I am glad that I subscribe to Wired.

wildflowergardener Donating Member (863 posts) Tue Dec-02-08 08:21 PM
Response to Original message
54. patch?
Edited on Tue Dec-02-08 08:22 PM by mbergen
Very interesting article. What I am curious about is who would have to be applying this patch to their systems? Would this be something, for example that Microsoft would patch automatically with their updates?

I am wondering about our server at work. I set it up with Microsoft Small Business Server and I regularly install Microsoft's updates, and while I know a fair amount about computers - enough to get it up and running without problems and network the office, I don't know if that's a patch an individual company would need to worry about putting on their computers manually or if that is something the internet provider would take care of. I'm just a landscape architect who also works on the computers at work.

Any computer people know about this?

Meg
 
roamer65 Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-02-08 09:19 PM
Response to Original message
56. Sounds a lot like Redford's movie "Sneakers".
I love that movie.
 
walldude Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 06:34 PM
Response to Reply #56
69. Too many secrets.
Yeah I love that flick as well :)
 
Fleshdancer Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Dec-02-08 09:48 PM
Response to Original message
58. I hope this writer is working on a novel
THAT was a fun article to read.
 
Hekate Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 03:07 PM
Response to Original message
60. Fascinating
:kick:
 
mudesi Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 04:01 PM
Response to Original message
61. Don't believe the hype
This entire article is an exaggeration.
 
matcom Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 05:31 PM
Response to Reply #61
65. actually no, it isn't
I know someone who was at the conference
 
keepthemhonest Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 04:34 PM
Response to Original message
63. why is he a polarizing figure... because he did the right thing?
What the hell would the rest of them have done with the info? He is a hero.

How cute: "I just broke the internet." Imagine if people from this administration had gotten a hold of that info, or any exec of almost any big business? The crooks would have looted for sure.

He is a giant hero. I guess we could have an internet down like they thought in K2000. Remember?
 
hunter Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 06:25 PM
Response to Reply #63
67. He's not cute.
If he was a tough talking but somehow vulnerable woman who sorta looked like Carrie Anne Moss he'd already have a multi-million dollar media contract.



http://en.wikipedia.org/wiki/Carrie-Anne_Moss
 
PatrynXX Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 06:30 PM
Response to Original message
68. definitions getting muddled
Once upon a time there were two groups. The Hackers were the good guys. The Crackers were the bad guys. A true hacker would be this Kaminsky. A true cracker would be what Vixie worried about coming over a cell phone. But today everyone thinks hackers are bad guys. Wish it was grouped together again. Not even sure where the merging began. Couldn't be the movie, could it (Hackers)?
 
chollybocker Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 06:42 PM
Response to Original message
70. An enterprising screenwriter must already be plotting this screenplay
 
hunter Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Dec-03-08 07:30 PM
Response to Reply #70
71. Sadly, his character will be played by John Travolta.
And the movie will be financed by the Church of Scientology.
 
GrpCaptMandrake Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-04-08 02:28 AM
Response to Reply #71
74. Scientology, yes. Travolta, no.
This is a role for the Valkyrie!

Tom Cruise is already reading "treatments."

Blecccch!



Get On The H.O.R.N.!
www.HeadOnRadioNetwork.com
America's Liberal Voice
 
hunter Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-04-08 02:46 AM
Response to Reply #74
77. Noooooo....
:puke:
 
GrpCaptMandrake Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-04-08 02:48 AM
Response to Reply #77
79. You KNOW I'm on to something!
:puke:



 
Waiting For Everyman Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-04-08 02:44 AM
Response to Original message
76. Another article by the same writer: a total e-war against Estonia this year
http://www.wired.com/politics/security/magazine/15-09/ff_estonia

Similarly readable. Wow, I had no idea such things were going on. I wonder if the two incidents were related? I wonder too, about an article I read just after the election, about both Obama's and McC's computers being hacked during the summer.

And "botnets"? Jeez, I never heard of that either. Any of us could be used in that and never know it. That might explain why sometimes our computers work like shit, wouldn't it though?

Thanks Blackhatjack, that was fascinating. (I'm sorry it's too late to "rec".)

 
LeftHander Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-04-08 01:44 PM
Response to Original message
82. Explains the financial collapse.....
Edited on Thu Dec-04-08 01:45 PM by LeftHander
Did someone clean out or discover something at key big companies before they updated DNS corporate servers....

Use known Windows methods to hack in then compromise the internal DNS servers that are thought to be untouchable.

Suddenly someone got in, tried to steal, and found the books cooked and burned and BOOM....all of a sudden people saw that some of these securities and investment vehicles were Flintstones cars and their companies were worthless.

??
 